CandidATS 3.0.0 - Cross-Site Scripting.

CandidATS 3.0.0 contains a cross-site scripting vulnerability via the sortBy parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

CandidATS 3.0.0 - Cross-Site Scripting

CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

CVE-2019-25738

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

CVE-2026-49491

Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user information includi...

PT-2026-41557

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the current page parameter sent to the ajax.php endpoint, whic...

CVE-2021-47977 WordPress Anti-Malware Security Bruteforce Firewall <= 4.20.72 Directory Traversal

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter. Attackers can send requests to the duplicatordownload action via admin-ajax.php wit...

CVE-2026-8083

SourceCodester Pharmacy Sales and Inventory System 1.0 contains a SQL injection vulnerability in /ajax.php?action=save_user caused by manipulation of the ID parameter. Exploitation is remote and publicly disclosed. Affects an unknown portion of the application; CVSS metrics indicate high impact o...

CVE-2026-7409

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function saveuser of the file /admin/ajax.php?action=saveuser. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used...

CVE-2026-7409 SourceCodester Pizzafy Ecommerce System ajax.php save_user sql injection

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function saveuser of the file /admin/ajax.php?action=saveuser. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used...

funadmin has Incorrect Privilege Assignment in its Configuration Handler

A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has bee...

PT-2026-21400

Name of the Vulnerable Software and Affected Versions funadmin versions up to 7.1.0-rc4 Description A weakness exists in funadmin that could lead to improper authorization. This is due to a manipulation possible in the setConfig function within the app/backend/controller/Ajax.php file of the...

PT-2026-20464

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin class.php based on the action parameter. An unauthenticated remote attack...

CVE-2023-49546

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customersupport/ajax.php...

CVE-2023-49548

Customer Support System v1 was discovered to contain a SQL injection vulnerability via the lastname parameter at /customersupport/ajax.php?action=saveuser...

CVE-2022-42747

CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application application does not properly validate user input against XSS attacks...

CVE-2025-15375

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. Th...

CVE-2025-15375

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. Th...

CVE-2025-15375

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. Th...

EyouCMS 代码问题漏洞

EyouCMS is an open source content management system CMS based on ThinkPHP by China Eyou Eyou. A code issue vulnerability exists in EyouCMS 1.7.7 and earlier versions, which stems from incorrect manipulation of the parameter attstr in the file application/api/controller/Ajax.php, which could lead ...

PT-2025-50754

Name of the Vulnerable Software and Affected Versions Purei CMS version 1.0 Description Purei CMS version 1.0 contains a time-based blind SQL injection vulnerability. Attackers can manipulate database queries through unfiltered user input parameters. The vulnerability can be exploited through...